Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Massachusetts State College Building Authority (June 18, 2025)

June 18, 2025 · Massachusetts State College Building Authority · Read the full official report on mass.gov ↗

Published June 18, 2025 Audit covers July 1, 2022 – June 30, 2024 Under Diana DiZoglio · 2023–present

In plain English
The auditor found that the Massachusetts State College Building Authority did some things properly, including checking residential building safety, but had problems with supplier diversity goals, emergency planning, internal controls, and computer system security.
source
“MSCBA did not have adequate information system general controls over its accounting and project management system.”
Read the plain-English breakdown
What is this?

This is a state performance audit of the Massachusetts State College Building Authority, covering July 1, 2022 through June 30, 2024.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor (OSA) has conducted a performance audit of the Massachusetts State College Building Authority (MSCBA) for the period July 1, 2022 through June 30, 2024.”
Why was it audited?

Auditors checked whether the authority met supplier diversity benchmarks, monitored campus housing health and safety, and fixed prior problems with its business continuity plan and internal control plan.

“The purpose of our audit was to determine the following:”
Why it matters

The authority oversees major student facilities and large amounts of student-funded construction and operations, so weak planning, controls, or cybersecurity can affect public money, campus services, and system safety.

“MSCBA oversees residence halls that house approximately 16,500 students across 54 residential complexes.”
What's in it for me?

If you are a Massachusetts student, parent, taxpayer, or campus community member, this report tells you whether student housing and related public-college facilities are being overseen responsibly.

“Instead, all revenue used to support the design, construction, and operation of MSCBA facilities is generated through rents and fees paid by students for the use of these facilities and related services.”
The bottom line

The authority needs stronger procedures for diverse vendor spending, emergency continuity planning, risk management, and IT controls. Auditors found campus residential safety monitoring was satisfactory.

“Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.”
What happens next

The authority said it is taking steps to improve, and the auditor plans to check back in about six months.

“As part of our post-audit review process, we will follow up on this matter in approximately six months.”
Jargon, unpacked

A business continuity plan is the authority’s playbook for keeping essential work going during a disruption or disaster. An internal control plan is the way an organization identifies risks and puts safeguards in place. Supplier diversity benchmarks are spending targets for doing business with certified diverse vendors.

“Without a comprehensive BCP, MSCBA cannot ensure that it has adequate procedures in place to protect critical information assets or to recover essential operations in the event of a disruption or disaster.”

6 figure(s) pending source verification - not shown

What the Auditor checked

What the Auditor found

MSCBA did not ensure that it met annual diverse supplier spending benchmarks.
procurement/contractsvendor oversight

Why it matters: MSCBA limited its ability to evaluate and improve the effectiveness of its efforts to promote diversity in procurement.

Standard: Supplier Diversity Office benchmark policy for diverse and small business spending. ( The Commonwealth of Massachusetts Diverse and Small Business Program Policies for Goods and Services Procurements )

2 recommendations
  • MSCBA should develop, document, and implement policies and procedures to effectively monitor the extent to which it achieves SDO annual benchmarks for diverse supplier spending.agency: agreed
  • MSCBA should develop strategies aimed at enhancing the participation of diverse businesses in its procurement process.agency: agreed
Agency response & Auditor reply
Agency: "Moving forward, the Authority intends to improve its process for monitoring and reporting of direct and indirect spending on a fiscal year basis; consider amending existing contracts when new diversity benchmarks are released by the state; expand outreach to diverse vendors in non-construction cost categories of work; and consider incorporating additional spending benchmarks for businesses owned by LGBTQ individuals and individuals with disabilities."
Auditor: "Based on its response, MSCBA is taking measures to address our concerns regarding this matter."
MSCBA’s business continuity plan was missing critical components.
cybersecurityinternal controls

Why it matters: MSCBA may not be able to protect critical information assets or recover essential operations after a disruption or disaster.

Standard: Executive Office of Technology Services and Security Business Continuity and Disaster Recovery Standard IS.005. ( EOTSS’s Business Continuity and Disaster Recovery Standard IS.005 )

1 recommendation
  • MSCBA should update its BCP to include all critical components outlined by EOTSS.agency: agreed
Agency response & Auditor reply
Agency: "Moreover, the Authority is committed to continuing to develop and refine the BCP so that it is continually focused on improving the Authority’s response in the event of a disruption or disaster."
Auditor: "However, as noted above, MSCBA’s BCP remains incomplete and does not fully align with the requirements established by EOTSS."
MSCBA’s internal control plan was not based on an agency-wide risk assessment and lacked enterprise risk management elements.
internal controls

Why it matters: MSCBA is limited in its ability to identify vulnerabilities that could prevent it from achieving organizational goals.

Standard: Chapter 647 of the Acts of 1989 and the Office of the Comptroller of the Commonwealth’s Internal Control Guide. ( Chapter 647 of the Acts of 1989; CTR’s Internal Control Guide )

2 recommendations
  • MSCBA should develop an ICP based on a current agency-wide risk assessment that includes all aspects of its business activities.agency: agreed
  • After completing its ICP, MSCBA should ensure that the ICP is communicated to all employees, used within its operations, and reviewed and updated at least annually.agency: agreed
Agency response & Auditor reply
Agency: "The Authority will review its internal controls documents, as well as suggested guidance from CTR and other authorities, consistent with the Committee of Sponsoring Organizations (COSO) framework to further develop a single comprehensive plan for all the critical components of enterprise risk management."
Auditor: "Based on its response, MSCBA is taking measures to address our concerns regarding this matter."
MSCBA did not adequately document management approval for employee system access rights.
cybersecurityinternal controls

Why it matters: MSCBA lacked verification that users were approved to access the system and had only the privileges necessary for their job duties.

Standard: EOTSS Access Management Standard IS.003. ( EOTSS’s Access Management Standard IS.003 )

1 recommendation
  • MSCBA should ensure that documented records are kept to evidence supervisory approval for system user rights for its accounting and project management system.agency: agreed
Agency response & Auditor reply
Agency: "The Authority acknowledges that it can improve the documentation of this portion of the process and is currently investigating and discussing further enhancements to the Authority’s existing processes."
Auditor: "Based on its response, MSCBA is taking measures to address our concerns regarding this matter."
MSCBA could not provide evidence that employees completed cybersecurity awareness training.
cybersecurityrecordkeeping/documentationinternal controls

Why it matters: MSCBA is exposed to increased risk of cyberattacks and financial or reputational losses.

Standard: EOTSS Information Security Risk Standard IS.010. ( EOTSS’s Information Security Risk Standard IS.010 )

1 recommendation
  • MSCBA should develop and implement policies and procedures to ensure that all employees receive cybersecurity awareness training within 30 days of orientation and annually thereafter.agency: already implemented
Agency response & Auditor reply
Agency: "Since the informal exit conference with the OSA, the Authority has retrained all staff via its provider’s Learning Management System and has current certificates of completion."
Auditor: "Based on its response, MSCBA is taking measures to address our concerns regarding this matter."
MSCBA was missing documentation for a required background check.
recordkeeping/documentationcybersecurityinternal controls

Why it matters: MSCBA assumes a higher-than-acceptable risk of hiring individuals who may pose security threats to systems and data.

Standard: MSCBA Employee Handbook background check requirement. ( Section C of MSCBA’s Employee Handbook )

1 recommendation
  • MSCBA should ensure that all employees with access to confidential information undergo background checks, as required by its policy.agency: agreed
Agency response & Auditor reply
Agency: "The omission of a singular employee was in error."
Auditor: "Based on its response, MSCBA is taking measures to address our concerns regarding this matter."
MSCBA did not promptly revoke access rights to its accounting and project management system.
cybersecurityinternal controls

Why it matters: Former employees could improperly access or change information in the system.

Standard: EOTSS Access Management Standard IS.003. ( EOTSS’s Access Management Standard IS.003 )

1 recommendation
  • MSCBA should ensure that system privileges are revoked within 24 business hours of termination.agency: agreed
Agency response & Auditor reply
Agency: "Moving forward, the Authority will make operational changes to ensure timely revocation of access for separated employees."
Auditor: "Based on its response, MSCBA is taking measures to address our concerns regarding this matter."
MSCBA did not have session lock mechanisms in place.
cybersecurityinternal controls

Why it matters: Users may remain logged on indefinitely, increasing the risk of unauthorized access and reducing monitoring and control over system activity.

Standard: EOTSS Access Management Standard IS.003. ( EOTSS’s Access Management Standard IS.003 )

1 recommendation
  • MSCBA should configure both its network and its accounting and project management system to lock out after a five-minute period of inactivity.agency: partially agreed
Agency response & Auditor reply
Agency: "Since the OSA informal exit conference, based on the recommendation of its IT network service provider . . . the Authority has implemented a procedure by which automatic lockout is initiated after 15 minutes of inactivity."
Auditor: "Based on its response, MSCBA is taking measures to address our concerns regarding this matter."
MSCBA did not have a documented configuration management policy.
cybersecurityinternal controls

Why it matters: The accounting and project management system is vulnerable to misconfigurations, security threats, and performance issues.

Standard: EOTSS Operations Management Standard IS.012. ( EOTSS’s Operations Management Standard IS.012 )

1 recommendation
  • MSCBA should establish controls to ensure that configuration management procedures are in place to safeguard its accounting and project management system.agency: agreed
Agency response & Auditor reply
Agency: "The Authority will work with its IT consultants and vendors to develop an IT Configuration Management Plan."
Auditor: "Based on its response, MSCBA is taking measures to address our concerns regarding this matter."
MSCBA did not have established procedures to review audit logs.
cybersecurityinternal controls

Why it matters: Unauthorized user activity, security incidents, and policy violations could go undetected.

Standard: EOTSS Logging and Event Monitoring IS.011. ( EOTSS’s Logging and Event Monitoring IS.011 )

1 recommendation
  • MSCBA should ensure that audit logs are run for its accounting and project management system on a regular basis, so that system user activity is tracked.agency: agreed
Agency response & Auditor reply
Agency: "As previously noted, the Authority considers system access a critical component to minimizing risk and will investigate what reports, logs, and / or other tools are available to provide additional review capabilities of user activity to enhance internal controls."
Auditor: "Based on its response, MSCBA is taking measures to address our concerns regarding this matter."

Prior findings revisited

Being worked on
"During the current audit, we found that MSCBA has since developed a BCP, but it did not meet the requirements outlined by the Executive Office of Technology Services and Security (EOTSS)."
Being worked on
"In the current audit, we again identified deficiencies in MSCBA’s ICP."

More audits of this entity

Other Office of the State Auditor reports on Massachusetts State College Building Authority , including the prior audits referenced above.

See this entity's page with all 3 audits →